Merge pull request #11073 from github/aeisenberg/vscode-ttl-docs

Update docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst

Co-authored-by: Felicity Chapman <felicitymay@github.com>

.github/actions/fetch-codeql/action.yml

@@ -1,14 +1,22 @@
 name: Fetch CodeQL
 description: Fetches the latest version of CodeQL
+
+inputs:
+  channel:
+    description: 'The CodeQL channel to use'
+    required: false
+    default: 'nightly'
+
 runs:
   using: composite
   steps:
     - name: Fetch CodeQL
       shell: bash
-      run: |
-        gh extension install github/gh-codeql
-        gh codeql set-channel nightly
-        gh codeql version
-        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
       env:
         GITHUB_TOKEN: ${{ github.token }}
+        CHANNEL: ${{ inputs.channel }}
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql set-channel "$CHANNEL"
+        gh codeql version
+        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"

.github/labeler.yml

@@ -43,3 +43,14 @@ documentation:
 "QL-for-QL":
   - ql/**/*
   - .github/workflows/ql-for-ql*
+
+# Since these are all shared files that need to be synced, just pick _one_ copy of each.
+"DataFlow Library":
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
+
+"ATM":
+  - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/atm-check-queries-run.yml

@@ -0,0 +1,56 @@
+name: ATM Check Queries Run
+
+env:
+  DB_PATH: test_db
+  ATM_MODEL_PACK: javascript/ql/experimental/adaptivethreatmodeling/src
+  QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/atm-check-queries-run.yml"
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+  workflow_dispatch:
+
+jobs:
+  run-atm-queries:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install CodeQL CLI
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh extensions install github/gh-codeql
+          gh codeql download
+
+      - name: Install ATM model pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -exu
+          
+          # Install ATM model pack
+          gh codeql pack install ${ATM_MODEL_PACK}
+
+          # Retrieve model checksum
+          model_checksum=$(gh codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum')
+
+          # Trust the model so that we can use it in the ATM boosted queries
+          mkdir -p "$HOME/.config/codeql"
+          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
+
+      - name: Create test DB
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh codeql database create ${RUNNER_TEMP}/${DB_PATH} --source-root config/atm/ --language javascript 
+
+      - name: Run ATM query suite
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${ATM_MODEL_PACK}/${QUERY_SUITE}
+      

.github/workflows/atm-model-integration-tests.yml

@@ -0,0 +1,12 @@
+name: ATM Model Integration Tests
+
+on:
+  workflow_dispatch:
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: foo
+        run: echo "Hello world"

.github/workflows/compile-queries.yml

@@ -0,0 +1,57 @@
+name: "Compile all queries using the latest stable CodeQL CLI"
+
+on:
+  push:
+    branches: [main] # makes sure the cache gets populated
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+
+jobs:
+  compile-queries:
+    runs-on: ubuntu-latest-xl
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      # calculate the merge-base with main, in a way that works both on PRs and pushes to main. 
+      - name: Calculate merge-base
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          BASE_BRANCH: ${{ github.base_ref }}
+        run: |
+          MERGE_BASE=$(git merge-base --fork-point origin/$BASE_BRANCH)
+          echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
+      - name: Calculate merge-base - branch
+        if: ${{ github.event_name != 'pull_request' }}
+        # using github.sha instead, since we're directly on a branch, and not in a PR
+        run: |
+          MERGE_BASE=${{ github.sha }}
+          echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
+      - name: Cache CodeQL query compilation
+        uses: actions/cache@v3
+        with:
+          path: '*/ql/src/.cache'
+          # current GH HEAD first, merge-base second, generic third
+          key: codeql-stable-compile-${{ github.sha }}
+          restore-keys: |
+            codeql-stable-compile-${{ env.merge-base }}
+            codeql-stable-compile-
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: 'release'
+      - name: check formatting
+        run: codeql query format */ql/{src,lib,test}/**/*.{qll,ql} --check-only
+      - name: compile queries - check-only
+        # run with --check-only if running in a PR (github.sha != main)
+        if : ${{ github.event_name == 'pull_request' }}
+        shell: bash
+        run: codeql query compile -j0 */ql/src --keep-going --warnings=error --check-only
+      - name: compile queries - full
+        # do full compile if running on main - this populates the cache
+        if : ${{ github.event_name != 'pull_request' }}
+        shell: bash
+        run: codeql query compile -j0 */ql/src --keep-going --warnings=error

.github/workflows/ruby-build.yml

@@ -96,8 +96,8 @@ jobs:
       - name: Build Query Pack
         run: |
           codeql pack create ../shared/ssa --output target/packs
+          codeql pack create ../misc/suite-helpers --output target/packs
           codeql pack create ql/lib --output target/packs
-          codeql pack install ql/src
           codeql pack create ql/src --output target/packs
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
           codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
@@ -202,7 +202,7 @@ jobs:
           echo 'name: sample-tests
           version: 0.0.0
           dependencies:
-            codeql/ruby-all: 0.0.1
+            codeql/ruby-all: "*"
           extractor: ruby
           tests: .
           ' > qlpack.yml

.github/workflows/swift-autobuilder.yml

@@ -1,27 +0,0 @@
-name: "Swift: Build and test Xcode autobuilder"
-
-on:
-  pull_request:
-    paths:
-      - "swift/xcode-autobuilder/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift-autobuilder.yml
-    branches:
-      - main
-
-jobs:
-  autobuilder:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - name: Build the Xcode autobuilder
-        run: |
-          bazel build //swift/xcode-autobuilder
-      - name: Test the Xcode autobuilder
-        run: |
-          bazel test //swift/xcode-autobuilder/tests

.github/workflows/swift-codegen.yml

@@ -1,44 +0,0 @@
-name: "Swift: Check code generation"
-
-on:
-  pull_request:
-    paths:
-      - "swift/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift-codegen.yml
-      - .github/actions/fetch-codeql/action.yml
-    branches:
-      - main
-defaults:
-  run:
-    working-directory: swift
-
-jobs:
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - uses: pre-commit/action@v3.0.0
-        name: Check that python code is properly formatted
-        with:
-          extra_args: autopep8 --all-files
-      - name: Run unit tests
-        run: |
-          bazel test //swift/codegen/test --test_output=errors
-      - uses: pre-commit/action@v3.0.0
-        name: Check that QL generated code was checked in
-        with:
-          extra_args: swift-codegen --all-files
-      - name: Generate C++ files
-        run: |
-          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-cpp-files
-      - uses: actions/upload-artifact@v3
-        with:
-          name: swift-generated-cpp-files
-          path: swift-generated-cpp-files/**

.github/workflows/swift-integration-tests.yml

@@ -1,47 +0,0 @@
-name: "Swift: Run Integration Tests"
-
-on:
-  pull_request:
-    paths:
-      - "swift/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift-integration-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-defaults:
-  run:
-    working-directory: swift
-
-jobs:
-  integration-tests:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-20.04
-#          - macos-latest  TODO
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - name: Build Swift extractor
-        run: |
-          bazel run //swift:create-extractor-pack
-      - name: Get Swift version
-        id: get_swift_version
-        run: |
-          VERSION=$(bazel run //swift/extractor -- --version | sed -ne 's/.*version \(\S*\).*/\1/p')
-          echo "::set-output name=version::$VERSION"
-      - uses: swift-actions/setup-swift@v1
-        with:
-          swift-version: "${{steps.get_swift_version.outputs.version}}"
-      - name: Run integration tests
-        run: |
-          python integration-tests/runner.py

.github/workflows/swift-qltest.yml

@@ -1,46 +0,0 @@
-name: "Swift: Run QL Tests"
-
-on:
-  pull_request:
-    paths:
-      - "swift/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift-qltest.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-defaults:
-  run:
-    working-directory: swift
-
-jobs:
-  qlformat:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - name: Check QL formatting
-        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
-  qltest:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os : [ubuntu-20.04, macos-latest]
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - name: Build Swift extractor
-        run: |
-          bazel run //swift:create-extractor-pack
-      - name: Run QL tests
-        run: |
-          codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
-        env:
-          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -0,0 +1,121 @@
+name: "Swift"
+
+on:
+  pull_request:
+    paths:
+      - "swift/**"
+      - "misc/bazel/**"
+      - "*.bazel*"
+      - .github/workflows/swift.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+      - .pre-commit-config.yaml
+      - "!**/*.md"
+      - "!**/*.qhelp"
+    branches:
+      - main
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      codegen: ${{ steps.filter.outputs.codegen }}
+      ql: ${{ steps.filter.outputs.ql }}
+    steps:
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: filter
+        with:
+          filters: |
+            codegen:
+              - 'github/workflows/swift.yml'
+              - "misc/bazel/**"
+              - "*.bazel*"
+              - 'swift/actions/setup-env/**'
+              - '.pre-commit-config.yaml'
+              - 'swift/codegen/**'
+              - 'swift/schema.py'
+              - 'swift/**/*.dbscheme'
+              - 'swift/ql/lib/codeql/swift/elements.qll'
+              - 'swift/ql/lib/codeql/swift/elements/**'
+              - 'swift/ql/lib/codeql/swift/generated/**'
+              - 'swift/ql/test/extractor-tests/generated/**'
+            ql:
+              - 'github/workflows/swift.yml'
+              - 'swift/**/*.ql'
+              - 'swift/**/*.qll'
+  # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
+  # without waiting for the macOS build
+  build-and-test-macos:
+    runs-on: macos-12-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/create-extractor-pack
+      - uses: ./swift/actions/run-quick-tests
+  build-and-test-linux:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/create-extractor-pack
+      - uses: ./swift/actions/run-quick-tests
+  qltests-linux:
+    needs: build-and-test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-ql-tests
+  qltests-macos:
+    needs: build-and-test-macos
+    runs-on: macos-12-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-ql-tests
+        with:
+          flags: --slice ${{ matrix.slice }}
+  integration-tests-linux:
+    needs: build-and-test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-integration-tests
+  integration-tests-macos:
+    needs: build-and-test-macos
+    runs-on: macos-12-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-integration-tests
+  codegen:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.codegen == 'true' }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/setup-env
+      - uses: pre-commit/action@v3.0.0
+        name: Check that python code is properly formatted
+        with:
+          extra_args: autopep8 --all-files
+      - uses: ./.github/actions/fetch-codeql
+      - uses: pre-commit/action@v3.0.0
+        name: Check that QL generated code was checked in
+        with:
+          extra_args: swift-codegen --all-files
+      - name: Generate C++ files
+        run: |
+          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
+      - uses: actions/upload-artifact@v3
+        with:
+          name: swift-generated-cpp-files
+          path: swift/generated-cpp-files/**
+  qlformat:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.ql == 'true' }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check QL formatting
+        run: find swift/ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only

change-notes/1.20/analysis-javascript.md

@@ -52,7 +52,7 @@
 | Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
 | Unsafe dynamic method access              | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
 | Unused parameter                           | Fewer false positive results | This query no longer flags parameters with leading underscore. |
-| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
+| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implicitly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
 | Unvalidated dynamic method call           | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
 | Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
 | Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |

change-notes/1.23/analysis-cpp.md

@@ -19,7 +19,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
 | Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
-| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
 | Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
 | Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
 | Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |

change-notes/1.24/analysis-javascript.md

@@ -91,7 +91,7 @@
 
 ## Changes to libraries
 
-* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
+* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimic this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
 * An extensible model of the `EventEmitter` pattern has been implemented.
 * Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
   that combine taint-tracking and flow labels.

codeql-workspace.yml

@@ -17,6 +17,7 @@ provide:
   # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
   - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
   - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"

config/atm/ml-powered-queries-repo/add-note.js

@@ -0,0 +1,21 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+
+(async () => {
+  if (process.argv.length != 5) {
+    Logger.log("Creates a private note.  Usage: node add-note.js <token> <title> <body>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const [userToken, title, body] = process.argv.slice(2);
+  await Note.create({ title, body, userToken });
+
+  Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
+
+  await mongoose.connection.close();
+})();

config/atm/ml-powered-queries-repo/app.js

@@ -0,0 +1,68 @@
+const bodyParser = require('body-parser');
+const express = require('express');
+const mongoose = require('mongoose');
+
+const notesApi = require('./notes-api');
+const usersApi = require('./users-api');
+
+const addSampleData = module.exports.addSampleData = async () => {
+  const [userA, userB] = await User.create([
+    {
+      name: "A",
+      token: "tokenA"
+    },
+    {
+      name: "B",
+      token: "tokenB"
+    }
+  ]);
+
+  await Note.create([
+    {
+      title: "Public note belonging to A",
+      body: "This is a public note belonging to A",
+      isPublic: true,
+      ownerToken: userA.token
+    },
+    {
+      title: "Public note belonging to B",
+      body: "This is a public note belonging to B",
+      isPublic: true,
+      ownerToken: userB.token
+    },
+    {
+      title: "Private note belonging to A",
+      body: "This is a private note belonging to A",
+      ownerToken: userA.token
+    },
+    {
+      title: "Private note belonging to B",
+      body: "This is a private note belonging to B",
+      ownerToken: userB.token
+    }
+  ]);
+}
+
+module.exports.startApp = async () => {
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
+  // Drop contents of DB
+  mongoose.connection.dropDatabase();
+  // Add some sample data
+  await addSampleData();
+
+  const app = express();
+
+  app.use(bodyParser.json());
+  app.use(bodyParser.urlencoded());
+
+  app.get('/', async (_req, res) => {
+    res.send('Hello World');
+  });
+
+  app.use('/api/notes', notesApi.router);
+  app.use('/api/users', usersApi.router);
+
+  app.listen(3000);
+  Logger.log('Express started on port 3000');
+};

config/atm/ml-powered-queries-repo/index.js

@@ -0,0 +1,7 @@
+const startApp = require('./app').startApp;
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+startApp();

config/atm/ml-powered-queries-repo/logger.js

@@ -0,0 +1,5 @@
+module.exports.Logger = class {
+  log(message, ...objs) {
+    console.log(message, objs);
+  }
+};

config/atm/ml-powered-queries-repo/models/note.js

@@ -0,0 +1,8 @@
+const mongoose = require('mongoose');
+
+module.exports.Note = mongoose.model('Note', new mongoose.Schema({
+  title: String,
+  body: String,
+  ownerToken: String,
+  isPublic: Boolean
+}));

config/atm/ml-powered-queries-repo/models/user.js

@@ -0,0 +1,6 @@
+const mongoose = require('mongoose');
+
+module.exports.User = mongoose.model('User', new mongoose.Schema({
+  name: String,
+  token: String
+}));

config/atm/ml-powered-queries-repo/notes-api.js

@@ -0,0 +1,44 @@
+const express = require('express')
+
+const router = module.exports.router = express.Router();
+
+function serializeNote(note) {
+  return {
+    title: note.title,
+    body: note.body
+  };
+}
+
+router.post('/find', async (req, res) => {
+  const notes = await Note.find({
+    ownerToken: req.body.token
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.get('/findPublic', async (_req, res) => {
+  const notes = await Note.find({
+    isPublic: true
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.post('/findVisible', async (req, res) => {
+  const notes = await Note.find({
+    $or: [
+      {
+        isPublic: true
+      },
+      {
+        ownerToken: req.body.token
+      }
+    ]
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});

config/atm/ml-powered-queries-repo/read-notes.js

@@ -0,0 +1,37 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+(async () => {
+  if (process.argv.length != 3) {
+    Logger.log("Outputs all notes visible to a user.  Usage: node read-notes.js <token>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const ownerToken = process.argv[2];
+
+  const user = await User.findOne({
+    token: ownerToken
+  }).exec();
+
+  const notes = await Note.find({
+    $or: [
+      { isPublic: true },
+      { ownerToken }
+    ]
+  }).exec();
+
+  notes.map(note => {
+    Logger.log("Title:" + note.title);
+    Logger.log("By:" + user.name);
+    Logger.log("Body:" + note.body);
+    Logger.log();
+  });
+
+  await mongoose.connection.close();
+})();

config/atm/ml-powered-queries-repo/users-api.js

@@ -0,0 +1,25 @@
+const express = require('express')
+
+Logger = require('./logger').Logger;
+const router = module.exports.router = express.Router();
+
+router.post('/updateName', async (req, res) => {
+  Logger.log("/updateName called with new name", req.body.name);
+  await User.findOneAndUpdate({
+    token: req.body.token
+  }, {
+    name: req.body.name
+  }).exec();
+  res.json({
+    name: req.body.name
+  });
+});
+
+router.post('/getName', async (req, res) => {
+  const user = await User.findOne({
+    token: req.body.token
+  }).exec();
+  res.json({
+    name: user.name
+  });
+});

cpp/ql/examples/qlpack.yml

@@ -3,4 +3,4 @@ groups:
   - cpp
   - examples
 dependencies:
-  codeql/cpp-all: "*"
+  codeql/cpp-all: ${workspace}

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.
+
 ## 0.4.2
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,5 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll

@@ -4,6 +4,12 @@
  * variable), and `v` is an integer in the range `[0 .. m-1]`.
  */
 
+/*
+ * The main recursion has base cases in both `ssaModulus` (for guarded reads) and `semExprModulus`
+ * (for constant values). The most interesting recursive case is `phiModulusRankStep`, which
+ * handles phi inputs.
+ */
+
 private import ModulusAnalysisSpecific::Private
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
@@ -162,6 +168,11 @@ private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod
  */
 pragma[nomagic]
 private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
+  /*
+   * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+   * class for the phi node.
+   */
+
   rix = 0 and
   phiModulusInit(phi, b, val, mod)
   or
@@ -169,6 +180,12 @@ private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int
     mod != 1 and
     val = remainder(v1, mod)
   |
+    /*
+     * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+     * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+     * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+     */
+
     exists(int v2, int m2 |
       rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
       phiModulusRankStep(phi, b, v1, m1, rix - 1) and
@@ -176,6 +193,12 @@ private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int
       mod = m1.gcd(m2).gcd(v1 - v2)
     )
     or
+    /*
+     * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+     * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+     * common denominator of `m1` and `m2`.
+     */
+
     exists(int m2 |
       rankedPhiInput(phi, inp, edge, rix) and
       phiModulusRankStep(phi, b, v1, m1, rix - 1) and

cpp/ql/lib/qlpack.yml

@@ -1,9 +1,9 @@
 name: codeql/cpp-all
-version: 0.4.2
+version: 0.4.3
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
-  codeql/ssa: 0.0.1
+  codeql/ssa: ${workspace}

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -1125,12 +1125,12 @@ class FormatLiteral extends Literal {
         exists(int dot, int afterdot |
           (if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
           (
-            (
-              if this.hasExplicitPrecision(n)
-              then afterdot = this.getPrecision(n)
-              else not this.hasImplicitPrecision(n)
-            ) and
-            afterdot = 6
+            if this.hasExplicitPrecision(n)
+            then afterdot = this.getPrecision(n)
+            else (
+              not this.hasImplicitPrecision(n) and
+              afterdot = 6
+            )
           ) and
           len = 1 + 309 + dot + afterdot
         ) and
@@ -1140,12 +1140,12 @@ class FormatLiteral extends Literal {
         exists(int dot, int afterdot |
           (if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
           (
-            (
-              if this.hasExplicitPrecision(n)
-              then afterdot = this.getPrecision(n)
-              else not this.hasImplicitPrecision(n)
-            ) and
-            afterdot = 6
+            if this.hasExplicitPrecision(n)
+            then afterdot = this.getPrecision(n)
+            else (
+              not this.hasImplicitPrecision(n) and
+              afterdot = 6
+            )
           ) and
           len = 1 + 1 + dot + afterdot + 1 + 1 + 3
         ) and
@@ -1155,12 +1155,12 @@ class FormatLiteral extends Literal {
         exists(int dot, int afterdot |
           (if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
           (
-            (
-              if this.hasExplicitPrecision(n)
-              then afterdot = this.getPrecision(n)
-              else not this.hasImplicitPrecision(n)
-            ) and
-            afterdot = 6
+            if this.hasExplicitPrecision(n)
+            then afterdot = this.getPrecision(n)
+            else (
+              not this.hasImplicitPrecision(n) and
+              afterdot = 6
+            )
           ) and
           // note: this could be displayed in the style %e or %f;
           //       however %f is only used when 'P > X >= -4'

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -2874,54 +2874,16 @@ private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
   }
 }
 
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source are generated.
- */
-class PathNode extends TPathNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  string toStringWithContext() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    none()
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { this.(PathNodeImpl).getNodeEx().projectToNode() = result }
-
+abstract private class PathNodeImpl extends TPathNode {
   /** Gets the `FlowState` of this node. */
-  FlowState getState() { none() }
+  abstract FlowState getState();
 
   /** Gets the associated configuration. */
-  Configuration getConfiguration() { none() }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
-  }
+  abstract Configuration getConfiguration();
 
   /** Holds if this node is a source. */
-  predicate isSource() { none() }
-}
+  abstract predicate isSource();
 
-abstract private class PathNodeImpl extends PathNode {
   abstract PathNodeImpl getASuccessorImpl();
 
   private PathNodeImpl getASuccessorIfHidden() {
@@ -2967,13 +2929,23 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+  /** Gets a textual representation of this element. */
+  string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() {
-    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
-  }
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx() }
 
-  override predicate hasLocationInfo(
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getNodeEx().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -2986,14 +2958,59 @@ private predicate directReach(PathNodeImpl n) {
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
-private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
+private predicate reach(PathNodeImpl n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+private predicate pathSucc(PathNodeImpl n1, PathNodeImpl n2) {
   n1.getANonHiddenSuccessor() = n2 and directReach(n2)
 }
 
-private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+private predicate pathSuccPlus(PathNodeImpl n1, PathNodeImpl n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+ */
+class PathNode instanceof PathNodeImpl {
+  PathNode() { reach(this) }
+
+  /** Gets a textual representation of this element. */
+  final string toString() { result = super.toString() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  final string toStringWithContext() { result = super.toStringWithContext() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  final predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the underlying `Node`. */
+  final Node getNode() { super.getNodeEx().projectToNode() = result }
+
+  /** Gets the `FlowState` of this node. */
+  final FlowState getState() { result = super.getState() }
+
+  /** Gets the associated configuration. */
+  final Configuration getConfiguration() { result = super.getConfiguration() }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() { result = super.getANonHiddenSuccessor() }
+
+  /** Holds if this node is a source. */
+  final predicate isSource() { super.isSource() }
+}
 
 /**
  * Provides the query predicates needed to include a graph in a path-problem query.
@@ -3004,7 +3021,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
+    key = "semmle.label" and val = n.toString()
   }
 
   /**
@@ -3013,11 +3030,7 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    Subpaths::subpaths(arg, par, ret, out) and
-    reach(arg) and
-    reach(par) and
-    reach(ret) and
-    reach(out)
+    Subpaths::subpaths(arg, par, ret, out)
   }
 }
 
@@ -3399,7 +3412,7 @@ private module Subpaths {
    */
   pragma[nomagic]
   private predicate subpaths02(
-    PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
+    PathNodeImpl arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, FlowState sout, AccessPath apout
   ) {
     subpaths01(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3407,14 +3420,14 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private Configuration getPathNodeConf(PathNode n) { result = n.getConfiguration() }
+  private Configuration getPathNodeConf(PathNodeImpl n) { result = n.getConfiguration() }
 
   /**
    * Holds if `(arg, par, ret, out)` forms a subpath-tuple.
    */
   pragma[nomagic]
   private predicate subpaths03(
-    PathNode arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
+    PathNodeImpl arg, ParamNodeEx par, PathNodeMid ret, NodeEx out, FlowState sout, AccessPath apout
   ) {
     exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode |
       subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and
@@ -3444,7 +3457,7 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNodeImpl out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
       pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
@@ -3460,7 +3473,7 @@ private module Subpaths {
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
   predicate retReach(PathNodeImpl n) {
-    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
+    exists(PathNodeImpl out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
     exists(PathNodeImpl mid |
       retReach(mid) and
@@ -3477,11 +3490,12 @@ private module Subpaths {
  * sinks.
  */
 private predicate flowsTo(
-  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+  PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink,
+  Configuration configuration
 ) {
   flowsource.isSource() and
   flowsource.getConfiguration() = configuration and
-  flowsource.(PathNodeImpl).getNodeEx().asNode() = source and
+  flowsource.getNodeEx().asNode() = source and
   (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
   flowsink.getNodeEx().asNode() = sink
 }
@@ -3504,14 +3518,14 @@ private predicate finalStats(
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state)) and
-  tuples = count(PathNode pn)
+  tuples = count(PathNodeImpl pn)
   or
   fwd = false and
   nodes = count(NodeEx n0 | exists(PathNodeImpl pn | pn.getNodeEx() = n0 and reach(pn))) and
   fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
   conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
   states = count(FlowState state | exists(PathNodeMid pn | pn.getState() = state and reach(pn))) and
-  tuples = count(PathNode pn | reach(pn))
+  tuples = count(PathNode pn)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -98,16 +98,16 @@ class ParameterPosition = Position;
 /** An argument position represented by an integer. */
 class ArgumentPosition = Position;
 
-class Position extends TPosition {
+abstract class Position extends TPosition {
   abstract string toString();
 }
 
-class DirectPosition extends TDirectPosition {
+class DirectPosition extends Position, TDirectPosition {
   int index;
 
   DirectPosition() { this = TDirectPosition(index) }
 
-  string toString() {
+  override string toString() {
     index = -1 and
     result = "this"
     or
@@ -118,12 +118,12 @@ class DirectPosition extends TDirectPosition {
   int getIndex() { result = index }
 }
 
-class IndirectionPosition extends TIndirectionPosition {
+class IndirectionPosition extends Position, TIndirectionPosition {
   int index;
 
   IndirectionPosition() { this = TIndirectionPosition(index) }
 
-  string toString() {
+  override string toString() {
     index = -1 and
     result = "this"
     or

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

@@ -16,15 +16,36 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions
 
-/** Gets the sub-expression of 'e' with the earliest-starting Location */
+/**
+ * Gets a child of `e`, including conversions but excluding call arguments.
+ */
+pragma[inline]
+Expr getAChildWithConversions(Expr e) {
+  result.getParentWithConversions() = e and
+  not result = any(Call c).getAnArgument()
+}
+
+/**
+ * Gets the left-most column position of any transitive child of `e` (including
+ * conversions but excluding call arguments).
+ */
+int getCandidateColumn(Expr e) {
+  result = e.getLocation().getStartColumn() or
+  result = getCandidateColumn(getAChildWithConversions(e))
+}
+
+/**
+ * Gets the transitive child of `e` (including conversions but excluding call
+ * arguments) at the left-most column position, preferring less deeply nested
+ * expressions if there is a choice.
+ */
 Expr normalizeExpr(Expr e) {
-  result =
-    min(Expr child |
-      child.getParentWithConversions*() = e.getFullyConverted() and
-      not child.getParentWithConversions*() = any(Call c).getAnArgument()
-    |
-      child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
-    )
+  e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
+  result = e
+  or
+  not e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
+  result = normalizeExpr(getAChildWithConversions(e)) and
+  result.getLocation().getStartColumn() = min(getCandidateColumn(e))
 }
 
 predicate isParenthesized(CommaExpr ce) {
@@ -43,8 +64,8 @@ from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
 where
   ce.fromSource() and
   not isFromMacroDefinition(ce) and
-  left = normalizeExpr(ce.getLeftOperand()) and
-  right = normalizeExpr(ce.getRightOperand()) and
+  left = normalizeExpr(ce.getLeftOperand().getFullyConverted()) and
+  right = normalizeExpr(ce.getRightOperand().getFullyConverted()) and
   leftLoc = left.getLocation() and
   rightLoc = right.getLocation() and
   not isParenthesized(ce) and

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+
 ## 0.4.2
 
 ### New Queries

cpp/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,5 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql

@@ -38,9 +38,9 @@ predicate hasNontrivialDestructor(Class c) {
 from Class c
 where
   (hasPointerMember(c) or hasNontrivialDestructor(c)) and
-  not (
-    c.getAMemberFunction() instanceof CopyConstructor and
-    c.getAMemberFunction() instanceof CopyAssignmentOperator
+  (
+    c.hasImplicitCopyAssignmentOperator() or
+    c.hasImplicitCopyConstructor()
   ) and
   not c instanceof Struct
 select c,

cpp/ql/src/qlpack.yml

@@ -1,11 +1,11 @@
 name: codeql/cpp-queries
-version: 0.4.2
+version: 0.4.3
 groups: 
   - cpp
   - queries
 dependencies:
-    codeql/cpp-all: "*"
-    codeql/suite-helpers: "*"
+    codeql/cpp-all: ${workspace}
+    codeql/suite-helpers: ${workspace}
 suites: codeql-suites
 extractor: cpp
 defaultSuiteFile: codeql-suites/cpp-code-scanning.qls

cpp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -137,6 +137,7 @@ abstract class InlineExpectationsTest extends string {
   final predicate hasFailureMessage(FailureLocatable element, string message) {
     exists(ActualResult actualResult |
       actualResult.getTest() = this and
+      actualResult.getTag() = this.getARelevantTag() and
       element = actualResult and
       (
         exists(FalseNegativeExpectation falseNegative |
@@ -150,9 +151,18 @@ abstract class InlineExpectationsTest extends string {
       )
     )
     or
+    exists(ActualResult actualResult |
+      actualResult.getTest() = this and
+      not actualResult.getTag() = this.getARelevantTag() and
+      element = actualResult and
+      message =
+        "Tag mismatch: Actual result with tag '" + actualResult.getTag() +
+          "' that is not part of getARelevantTag()"
+    )
+    or
     exists(ValidExpectation expectation |
       not exists(ActualResult actualResult | expectation.matchesActualResult(actualResult)) and
-      expectation.getTag() = getARelevantTag() and
+      expectation.getTag() = this.getARelevantTag() and
       element = expectation and
       (
         expectation instanceof GoodExpectation and

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -2,43 +2,21 @@ edges
 | test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:15 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
 | test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
-| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
 | test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
 | test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
 | test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
-| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
-| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
 | test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
@@ -116,7 +94,6 @@ edges
 | test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
 | test.cpp:8:16:8:16 | Load | test.cpp:12:16:12:16 | Load |
 | test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
-| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
 | test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
 | test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
 | test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
@@ -139,62 +116,30 @@ edges
 | test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
 | test.cpp:11:16:11:16 | Load | test.cpp:12:16:12:16 | Load |
 | test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
-| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
-| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
 | test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
 | test.cpp:16:15:16:20 | call to malloc | test.cpp:17:15:17:15 | Load |
 | test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
-| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
 | test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
 | test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
-| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
-| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
 | test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
 | test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:15 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
 | test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
-| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
 | test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
 | test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
 | test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
-| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
-| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
 | test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
@@ -272,7 +217,6 @@ edges
 | test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
 | test.cpp:32:16:32:16 | Load | test.cpp:36:16:36:16 | Load |
 | test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
-| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
 | test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
 | test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
 | test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
@@ -295,49 +239,25 @@ edges
 | test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
 | test.cpp:35:16:35:16 | Load | test.cpp:36:16:36:16 | Load |
 | test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
-| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
-| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
 | test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
 | test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:15 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
 | test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
-| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
 | test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
 | test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
 | test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
-| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
-| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
 | test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
 | test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
 | test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
@@ -415,7 +335,6 @@ edges
 | test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
 | test.cpp:44:16:44:16 | Load | test.cpp:48:16:48:16 | Load |
 | test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
-| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
 | test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
 | test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
 | test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
@@ -438,8 +357,6 @@ edges
 | test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
 | test.cpp:47:16:47:16 | Load | test.cpp:48:16:48:16 | Load |
 | test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
-| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
-| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
 | test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
 | test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:62:39:62:39 | Load |
 | test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:66:39:66:39 | Load |
@@ -449,18 +366,13 @@ edges
 | test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:16 | Load |
 | test.cpp:53:5:53:23 | Store | test.cpp:51:33:51:35 | Load indirection |
 | test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
-| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
-| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
 | test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
 | test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | Load indirection |
 | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:62:32:62:34 | Load |
 | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:66:32:66:34 | Load |
 | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:70:31:70:33 | Load |
 | test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
-| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
 | test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
-| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
-| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
 | test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
 | test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:91:20:91:22 | arr indirection [begin] |
 | test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:95:20:95:22 | arr indirection [begin] |
@@ -479,8 +391,6 @@ edges
 | test.cpp:83:15:83:17 | arr indirection [begin] | test.cpp:83:19:83:23 | begin |
 | test.cpp:83:15:83:30 | ... + ... | test.cpp:83:5:83:30 | Store |
 | test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
-| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
-| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
 | test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
 | test.cpp:83:19:83:23 | begin | test.cpp:83:19:83:23 | Load |
 | test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:24:91:28 | begin |
@@ -488,21 +398,18 @@ edges
 | test.cpp:91:24:91:28 | begin | test.cpp:91:47:91:47 | Load |
 | test.cpp:91:36:91:38 | arr indirection [end] | test.cpp:91:40:91:42 | end |
 | test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
-| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
 | test.cpp:91:40:91:42 | end | test.cpp:91:40:91:42 | Load |
 | test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:24:95:28 | begin |
 | test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:47:95:47 | Load |
 | test.cpp:95:24:95:28 | begin | test.cpp:95:47:95:47 | Load |
 | test.cpp:95:36:95:38 | arr indirection [end] | test.cpp:95:40:95:42 | end |
 | test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
-| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
 | test.cpp:95:40:95:42 | end | test.cpp:95:40:95:42 | Load |
 | test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:24:99:28 | begin |
 | test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:46:99:46 | Load |
 | test.cpp:99:24:99:28 | begin | test.cpp:99:46:99:46 | Load |
 | test.cpp:99:35:99:37 | arr indirection [end] | test.cpp:99:39:99:41 | end |
 | test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
-| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
 | test.cpp:99:39:99:41 | end | test.cpp:99:39:99:41 | Load |
 | test.cpp:104:27:104:29 | arr [begin] | test.cpp:105:20:105:22 | arr indirection [begin] |
 | test.cpp:104:27:104:29 | arr [begin] | test.cpp:109:20:109:22 | arr indirection [begin] |
@@ -515,21 +422,18 @@ edges
 | test.cpp:105:24:105:28 | begin | test.cpp:105:47:105:47 | Load |
 | test.cpp:105:36:105:38 | arr indirection [end] | test.cpp:105:40:105:42 | end |
 | test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
-| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
 | test.cpp:105:40:105:42 | end | test.cpp:105:40:105:42 | Load |
 | test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:24:109:28 | begin |
 | test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:47:109:47 | Load |
 | test.cpp:109:24:109:28 | begin | test.cpp:109:47:109:47 | Load |
 | test.cpp:109:36:109:38 | arr indirection [end] | test.cpp:109:40:109:42 | end |
 | test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
-| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
 | test.cpp:109:40:109:42 | end | test.cpp:109:40:109:42 | Load |
 | test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:24:113:28 | begin |
 | test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:46:113:46 | Load |
 | test.cpp:113:24:113:28 | begin | test.cpp:113:46:113:46 | Load |
 | test.cpp:113:35:113:37 | arr indirection [end] | test.cpp:113:39:113:41 | end |
 | test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
-| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
 | test.cpp:113:39:113:41 | end | test.cpp:113:39:113:41 | Load |
 | test.cpp:119:18:119:25 | call to mk_array [begin] | test.cpp:104:27:104:29 | arr [begin] |
 | test.cpp:119:18:119:25 | call to mk_array [end] | test.cpp:104:27:104:29 | arr [end] |
@@ -558,8 +462,6 @@ edges
 | test.cpp:144:16:144:18 | Load indirection [begin] | test.cpp:144:21:144:25 | begin |
 | test.cpp:144:16:144:32 | ... + ... | test.cpp:144:5:144:32 | Store |
 | test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
-| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
-| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
 | test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
 | test.cpp:144:21:144:25 | begin | test.cpp:144:21:144:25 | Load |
 | test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:152:20:152:22 | Load indirection [begin] |
@@ -574,7 +476,6 @@ edges
 | test.cpp:156:25:156:29 | begin | test.cpp:156:49:156:49 | Load |
 | test.cpp:156:37:156:39 | Load indirection [end] | test.cpp:156:42:156:44 | end |
 | test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
-| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
 | test.cpp:156:42:156:44 | end | test.cpp:156:42:156:44 | Load |
 | test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:25:160:29 | begin |
 | test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:48:160:48 | Load |
@@ -590,21 +491,18 @@ edges
 | test.cpp:166:25:166:29 | begin | test.cpp:166:49:166:49 | Load |
 | test.cpp:166:37:166:39 | Load indirection [end] | test.cpp:166:42:166:44 | end |
 | test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
-| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
 | test.cpp:166:42:166:44 | end | test.cpp:166:42:166:44 | Load |
 | test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:25:170:29 | begin |
 | test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:49:170:49 | Load |
 | test.cpp:170:25:170:29 | begin | test.cpp:170:49:170:49 | Load |
 | test.cpp:170:37:170:39 | Load indirection [end] | test.cpp:170:42:170:44 | end |
 | test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
-| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
 | test.cpp:170:42:170:44 | end | test.cpp:170:42:170:44 | Load |
 | test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:25:174:29 | begin |
 | test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:48:174:48 | Load |
 | test.cpp:174:25:174:29 | begin | test.cpp:174:48:174:48 | Load |
 | test.cpp:174:36:174:38 | Load indirection [end] | test.cpp:174:41:174:43 | end |
 | test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
-| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
 | test.cpp:174:41:174:43 | end | test.cpp:174:41:174:43 | Load |
 | test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | test.cpp:165:29:165:31 | arr indirection [begin] |
 | test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | test.cpp:165:29:165:31 | arr indirection [end] |
@@ -614,19 +512,9 @@ edges
 | test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:5 | Load |
 | test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
 | test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
-| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
-| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
-| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
-| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
 | test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
 | test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
 | test.cpp:195:17:195:17 | Load | test.cpp:197:20:197:22 | Load |
-| test.cpp:195:17:195:17 | Load | test.cpp:197:20:197:22 | Load |
-| test.cpp:195:17:195:17 | Load | test.cpp:197:20:197:22 | Load |
-| test.cpp:195:17:195:17 | Load | test.cpp:197:20:197:22 | Load |
-| test.cpp:195:17:195:17 | Load | test.cpp:201:5:201:12 | access to array |
-| test.cpp:195:17:195:17 | Load | test.cpp:201:5:201:12 | access to array |
-| test.cpp:195:17:195:17 | Load | test.cpp:201:5:201:12 | access to array |
 | test.cpp:195:17:195:17 | Load | test.cpp:201:5:201:12 | access to array |
 | test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | Store |
 | test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | Store |
@@ -637,29 +525,15 @@ edges
 | test.cpp:195:17:195:23 | Store | test.cpp:201:5:201:19 | Store: ... = ... |
 | test.cpp:195:17:195:23 | Store | test.cpp:201:5:201:19 | Store: ... = ... |
 | test.cpp:197:20:197:22 | Load | test.cpp:201:5:201:19 | Store: ... = ... |
-| test.cpp:197:20:197:22 | Load | test.cpp:201:5:201:19 | Store: ... = ... |
-| test.cpp:201:5:201:12 | access to array | test.cpp:201:5:201:19 | Store: ... = ... |
 | test.cpp:201:5:201:12 | access to array | test.cpp:201:5:201:19 | Store: ... = ... |
 | test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:17 | Load |
 | test.cpp:205:23:205:28 | call to malloc | test.cpp:208:15:208:15 | Load |
 | test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
 | test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
-| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
 | test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
 | test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
 | test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
-| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
-| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
-| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
 | test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
-| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
-| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
 | test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
 | test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
 | test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | Store |
@@ -671,8 +545,6 @@ edges
 | test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
 | test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
 | test.cpp:209:12:209:14 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
-| test.cpp:209:12:209:14 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
-| test.cpp:213:5:213:6 | * ... | test.cpp:213:5:213:13 | Store: ... = ... |
 | test.cpp:213:5:213:6 | * ... | test.cpp:213:5:213:13 | Store: ... = ... |
 | test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:6 | * ... |
 | test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:13 | Store: ... = ... |

cpp/ql/test/library-tests/printf/formatAttribute/AttributeFormattingFunction.cpp

@@ -0,0 +1,6 @@
+
+typedef void *va_list;
+
+int myPrintf(const char *format, ...) __attribute__((format(printf, 1, 2)));
+int mySprintf(char *buffer, const char *format, ...) __attribute__((format(__printf__, 2, 3)));
+int myVprintf(const char *format, va_list arg) __attribute__((format(printf, 1, 0)));

cpp/ql/test/library-tests/printf/formatAttribute/AttributeFormattingFunction.expected

@@ -0,0 +1,2 @@
+| AttributeFormattingFunction.cpp:4:5:4:12 | myPrintf | 0 | char | wchar_t | wchar_t |
+| AttributeFormattingFunction.cpp:5:5:5:13 | mySprintf | 1 | char | wchar_t | wchar_t |

cpp/ql/test/library-tests/printf/formatAttribute/AttributeFormattingFunction.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from AttributeFormattingFunction f
+select f, f.getFormatParameterIndex(), concat(f.getDefaultCharType().toString(), ", "),
+  concat(f.getWideCharType().toString(), ", "), concat(f.getNonDefaultCharType().toString(), ", ")

cpp/ql/test/library-tests/printf/formatAttribute/FormatAttribute.expected

@@ -0,0 +1,3 @@
+| AttributeFormattingFunction.cpp:4:54:4:59 | format | printf | 0 | 1 |
+| AttributeFormattingFunction.cpp:5:69:5:74 | format | __printf__ | 1 | 2 |
+| AttributeFormattingFunction.cpp:6:63:6:68 | format | printf | 0 |  |

cpp/ql/test/library-tests/printf/formatAttribute/FormatAttribute.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FormatAttribute fa
+select fa, fa.getArchetype(), concat(fa.getFormatIndex().toString(), ", "),
+  concat(fa.getFirstFormatArgIndex().toString(), ", ")

cpp/ql/test/library-tests/printf/formatLiteral/formatLiteral.expected

@@ -0,0 +1,53 @@
+| test.c:14:9:14:10 |  | 1 |
+| test.c:15:9:15:14 |   | 2 |
+| test.c:16:9:16:12 | \t | 2 |
+| test.c:17:9:17:12 | %% | 2 |
+| test.c:20:9:20:12 | %c | 2 |
+| test.c:21:9:21:16 | %c%c%c | 4 |
+| test.c:24:9:24:23 | Hello, world! | 14 |
+| test.c:25:9:25:12 | %s | 14 |
+| test.c:26:9:26:14 | %.4s | 5 |
+| test.c:27:9:27:16 | %s, %s | 14 |
+| test.c:30:9:30:12 | %i | 12 |
+| test.c:31:9:31:14 | %lli | 12 |
+| test.c:32:9:32:12 | %i | 12 |
+| test.c:33:9:33:14 | %lli | 21 |
+| test.c:34:9:34:12 | %d | 12 |
+| test.c:35:9:35:12 | %u | 11 |
+| test.c:36:9:36:12 | %x | 9 |
+| test.c:37:9:37:12 | %X | 9 |
+| test.c:38:9:38:13 | %#x | 11 |
+| test.c:39:9:39:12 | %o | 12 |
+| test.c:40:9:40:13 | %#o | 13 |
+| test.c:43:9:43:12 | %f | 318 |
+| test.c:44:9:44:14 | %.2f | 314 |
+| test.c:45:9:45:12 | %e | 15 |
+| test.c:59:10:59:14 | %Ii | 12 |
+| test.c:66:10:66:14 | %zu | 21 |
+| test.c:67:10:67:14 | %Zu | 21 |
+| test.c:74:10:74:14 | %lc | 2 |
+| test.c:78:9:78:20 | %2$i, %1$i | 5 |
+| test.c:79:9:79:20 | %2$i, %1$i | 25 |
+| test.c:81:9:81:24 | %2$02i %1$4.2f |  |
+| test.c:85:10:85:18 | %2$*1$d |  |
+| test.c:86:10:86:19 | %2$0*1$d |  |
+| test.c:92:10:92:19 | %2$.*1$f |  |
+| test.c:99:10:99:12 | # | 2 |
+| test.c:100:10:100:13 | %% | 2 |
+| test.c:101:10:101:15 | %%%% | 3 |
+| test.c:102:10:102:15 | %%%f | 319 |
+| test.c:103:10:103:17 | %%%%%f | 320 |
+| test.c:104:10:104:18 | %4.2f%% | 315 |
+| test.c:105:10:105:17 | %%%f%% | 320 |
+| test.c:112:10:112:13 | %f | 318 |
+| test.c:113:10:113:15 | %.1f | 313 |
+| test.c:114:10:114:14 | %1f | 318 |
+| test.c:115:10:115:16 | %1.1f | 313 |
+| test.c:116:10:116:13 | %e | 15 |
+| test.c:117:10:117:15 | %.2e | 11 |
+| test.c:118:10:118:14 | %3e | 15 |
+| test.c:119:10:119:16 | %3.2e | 11 |
+| test.c:120:10:120:13 | %g | 15 |
+| test.c:121:10:121:15 | %.1g | 10 |
+| test.c:122:10:122:14 | %4g | 15 |
+| test.c:123:10:123:16 | %4.1g | 10 |

cpp/ql/test/library-tests/printf/formatLiteral/formatLiteral.ql

@@ -0,0 +1,4 @@
+import semmle.code.cpp.commons.Printf
+
+from FormatLiteral fl
+select fl, concat(fl.getMaxConvertedLength().toString(), ", ")

cpp/ql/test/library-tests/printf/formatLiteral/formatType.expected

@@ -0,0 +1,51 @@
+| test.c:20:9:20:12 | %c | 0 |  | c |  | file://:0:0:0:0 | char |
+| test.c:21:9:21:16 | %c%c%c | 0 |  | c |  | file://:0:0:0:0 | char |
+| test.c:21:9:21:16 | %c%c%c | 1 |  | c |  | file://:0:0:0:0 | char |
+| test.c:21:9:21:16 | %c%c%c | 2 |  | c |  | file://:0:0:0:0 | char |
+| test.c:25:9:25:12 | %s | 0 |  | s |  | file://:0:0:0:0 | char * |
+| test.c:26:9:26:14 | %.4s | 0 |  | s |  | file://:0:0:0:0 | char * |
+| test.c:27:9:27:16 | %s, %s | 0 |  | s |  | file://:0:0:0:0 | char * |
+| test.c:27:9:27:16 | %s, %s | 1 |  | s |  | file://:0:0:0:0 | char * |
+| test.c:30:9:30:12 | %i | 0 |  | i |  | file://:0:0:0:0 | int |
+| test.c:31:9:31:14 | %lli | 0 |  | i | ll | file://:0:0:0:0 | long long |
+| test.c:32:9:32:12 | %i | 0 |  | i |  | file://:0:0:0:0 | int |
+| test.c:33:9:33:14 | %lli | 0 |  | i | ll | file://:0:0:0:0 | long long |
+| test.c:34:9:34:12 | %d | 0 |  | d |  | file://:0:0:0:0 | int |
+| test.c:35:9:35:12 | %u | 0 |  | u |  | file://:0:0:0:0 | unsigned int |
+| test.c:36:9:36:12 | %x | 0 |  | x |  | file://:0:0:0:0 | unsigned int |
+| test.c:37:9:37:12 | %X | 0 |  | X |  | file://:0:0:0:0 | unsigned int |
+| test.c:38:9:38:13 | %#x | 0 |  | x |  | file://:0:0:0:0 | unsigned int |
+| test.c:39:9:39:12 | %o | 0 |  | o |  | file://:0:0:0:0 | unsigned int |
+| test.c:40:9:40:13 | %#o | 0 |  | o |  | file://:0:0:0:0 | unsigned int |
+| test.c:43:9:43:12 | %f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:44:9:44:14 | %.2f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:45:9:45:12 | %e | 0 |  | e |  | file://:0:0:0:0 | double |
+| test.c:59:10:59:14 | %Ii | 0 |  | i |  | file://:0:0:0:0 | int |
+| test.c:66:10:66:14 | %zu | 0 |  | u | z | test.c:50:27:50:32 | size_t |
+| test.c:67:10:67:14 | %Zu | 0 |  | u | Z | test.c:50:27:50:32 | size_t |
+| test.c:74:10:74:14 | %lc | 0 |  | c | l | file://:0:0:0:0 | wchar_t |
+| test.c:78:9:78:20 | %2$i, %1$i | 0 | 2$ | i |  | file://:0:0:0:0 | int |
+| test.c:78:9:78:20 | %2$i, %1$i | 1 | 1$ | i |  | file://:0:0:0:0 | int |
+| test.c:79:9:79:20 | %2$i, %1$i | 0 | 2$ | i |  | file://:0:0:0:0 | int |
+| test.c:79:9:79:20 | %2$i, %1$i | 1 | 1$ | i |  | file://:0:0:0:0 | int |
+| test.c:81:9:81:24 | %2$02i %1$4.2f | 0 | 2$ | i |  | file://:0:0:0:0 | int |
+| test.c:81:9:81:24 | %2$02i %1$4.2f | 1 | 1$ | f |  | file://:0:0:0:0 | double |
+| test.c:85:10:85:18 | %2$*1$d | 0 | 2$ | d |  | file://:0:0:0:0 | int |
+| test.c:86:10:86:19 | %2$0*1$d | 0 | 2$ | d |  | file://:0:0:0:0 | int |
+| test.c:92:10:92:19 | %2$.*1$f | 0 | 2$ | f |  | file://:0:0:0:0 | double |
+| test.c:102:10:102:15 | %%%f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:103:10:103:17 | %%%%%f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:104:10:104:18 | %4.2f%% | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:105:10:105:17 | %%%f%% | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:112:10:112:13 | %f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:113:10:113:15 | %.1f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:114:10:114:14 | %1f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:115:10:115:16 | %1.1f | 0 |  | f |  | file://:0:0:0:0 | double |
+| test.c:116:10:116:13 | %e | 0 |  | e |  | file://:0:0:0:0 | double |
+| test.c:117:10:117:15 | %.2e | 0 |  | e |  | file://:0:0:0:0 | double |
+| test.c:118:10:118:14 | %3e | 0 |  | e |  | file://:0:0:0:0 | double |
+| test.c:119:10:119:16 | %3.2e | 0 |  | e |  | file://:0:0:0:0 | double |
+| test.c:120:10:120:13 | %g | 0 |  | g |  | file://:0:0:0:0 | double |
+| test.c:121:10:121:15 | %.1g | 0 |  | g |  | file://:0:0:0:0 | double |
+| test.c:122:10:122:14 | %4g | 0 |  | g |  | file://:0:0:0:0 | double |
+| test.c:123:10:123:16 | %4.1g | 0 |  | g |  | file://:0:0:0:0 | double |

cpp/ql/test/library-tests/printf/formatLiteral/formatType.ql

@@ -0,0 +1,6 @@
+import semmle.code.cpp.commons.Printf
+
+from FormatLiteral fl, int i
+select fl, i, concat(fl.getParameterField(i).toString(), ", "), fl.getConversionChar(i),
+  fl.getLength(i), concat(fl.getConversionType(i).getLocation().toString(), ", "),
+  concat(fl.getConversionType(i).toString(), ", ")

cpp/ql/test/library-tests/printf/formatLiteral/test.c

@@ -0,0 +1,125 @@
+/** standard printf functions */
+
+int printf(const char *format, ...);
+
+/** test program */
+
+int main(int argc, char *argv[])
+{
+	long long int lli;
+	double d;
+	int i;
+
+	// constant expressions
+	printf("");
+	printf("\x20");
+	printf("\t");
+	printf("%%");
+
+	// characters
+	printf("%c", 'a');
+	printf("%c%c%c", 'a', 'b', 'c');
+
+	// strings
+	printf("Hello, world!");
+	printf("%s", "Hello, world!");
+	printf("%.4s", "Hello, world!");
+	printf("%s, %s", "Hello", "world!");
+
+	// integers
+	printf("%i", i);
+	printf("%lli", i);
+	printf("%i", lli);
+	printf("%lli", lli);
+	printf("%d", i);
+	printf("%u", i);
+	printf("%x", i);
+	printf("%X", i);
+	printf("%#x", i);
+	printf("%o", i);
+	printf("%#o", i);
+
+	// doubles
+	printf("%f", d);
+	printf("%.2f", d);
+	printf("%e", d);
+
+	return 0;
+}
+
+typedef long unsigned int size_t;
+typedef unsigned int wint_t;
+
+void more_cases(int a, int b)
+{
+	// integers
+	{
+		int i;
+
+		printf("%Ii", i); // glibc 2.2 'I' prefix
+	}
+
+	// size_t
+	{
+		size_t st;
+
+		printf("%zu", st); // size_t
+		printf("%Zu", st); // non-standard synonym for 'z'
+	}
+
+	// wint_t
+	{
+		wint_t wt;
+
+		printf("%lc", wt); // wide character
+	}
+
+	// posix indexed format arguments
+	printf("%2$i, %1$i", 1, 2); // '2, 1'
+	printf("%2$i, %1$i", a, b);
+	
+	printf("%2$02i %1$4.2f", 3.3333f, 6); // 06, 3.33
+	{
+		int width, num;
+
+		printf("%2$*1$d", width, num);
+		printf("%2$0*1$d", width, num);
+	}
+	{
+		int precision;
+		float num;
+
+		printf("%2$.*1$f", precision, num);
+	}
+
+	// %%
+	{
+		float num;
+
+		printf("#");
+		printf("%%");
+		printf("%%%%");
+		printf("%%%f", num);
+		printf("%%%%%f", num);
+		printf("%4.2f%%", num);
+		printf("%%%f%%", num);
+	}
+
+	// more tests of width and precision
+	{
+		float num;
+
+		printf("%f", num);
+		printf("%.1f", num);
+		printf("%1f", num);
+		printf("%1.1f", num);
+		printf("%e", num);
+		printf("%.2e", num);
+		printf("%3e", num);
+		printf("%3.2e", num);
+		printf("%g", num);
+		printf("%.1g", num);
+		printf("%4g", num);
+		printf("%4.1g", num);
+	}
+}

cpp/ql/test/library-tests/templates/CPP-223/decls.expected

@@ -13,6 +13,7 @@
 | test.cpp:4:26:4:26 | c<<expression>> |
 | test.cpp:4:26:4:26 | c<<unnamed>> |
 | test.cpp:5:29:5:29 | e |
+| test.cpp:6:24:6:24 | f |
 | test.cpp:6:26:6:26 | (unnamed parameter 0) |
 | test.cpp:6:29:6:31 | (unnamed parameter 1) |
 | test.cpp:7:20:7:20 | f |

cpp/ql/test/qlpack.yml

@@ -1,7 +1,7 @@
 name: codeql/cpp-tests
 groups: [cpp, test]
 dependencies:
-  codeql/cpp-all: "*"
-  codeql/cpp-queries: "*"
+  codeql/cpp-all: ${workspace}
+  codeql/cpp-queries: ${workspace}
 extractor: cpp
 tests: .

cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected

@@ -3,19 +3,20 @@
 | nested.cpp:21:23:21:26 | fmt0 | The format string argument to snprintf should be constant to prevent security issues and other potential errors. |
 | nested.cpp:79:32:79:38 | call to get_fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
 | nested.cpp:87:18:87:20 | fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
-| test.cpp:50:10:50:21 | call to make_message | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:56:12:56:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:59:12:59:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:60:12:60:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:61:12:61:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:62:12:62:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:63:12:63:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:64:12:64:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:66:10:66:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:69:12:69:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:75:12:75:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:81:12:81:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:87:12:87:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:92:12:92:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:109:12:109:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
-| test.cpp:129:20:129:26 | access to array | The format string argument to sprintf should be constant to prevent security issues and other potential errors. |
+| test.cpp:51:10:51:21 | call to make_message | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:57:12:57:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:60:12:60:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:61:12:61:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:62:12:62:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:63:12:63:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:64:12:64:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:65:12:65:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:67:10:67:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:70:12:70:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:76:12:76:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:82:12:82:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:88:12:88:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:93:12:93:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:110:12:110:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| test.cpp:130:20:130:26 | access to array | The format string argument to sprintf should be constant to prevent security issues and other potential errors. |
+| test.cpp:157:12:157:15 | data | The format string argument to printf should be constant to prevent security issues and other potential errors. |

cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp

@@ -1,6 +1,7 @@
 extern "C" int printf(const char *fmt, ...);
 extern "C" int sprintf(char *buf, const char *fmt, ...);
-extern "C" char *gettext (const char *);
+extern "C" char *gettext(const char *);
+extern "C" char *strcpy(char *dst, const char *src);
 
 #define MYSPRINTF sprintf
 
@@ -150,3 +151,8 @@ void print_ith_message() {
   set_value_of(&i);
   printf(messages[i], 1U); // GOOD
 }
+
+void fmt_via_strcpy(char *data) {
+    strcpy(data, "some string");
+    printf(data); // BAD
+}

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected

@@ -12,11 +12,8 @@ nodes
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | semmle.label | ... + ... |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
 #select
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -12,11 +12,8 @@ nodes
 | test.c:9:23:9:26 | argv | semmle.label | argv |
 | test.c:9:23:9:26 | argv | semmle.label | argv |
 | test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
-| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
 | test.c:17:11:17:18 | fileName | semmle.label | fileName |
 | test.c:17:11:17:18 | fileName | semmle.label | fileName |
-| test.c:17:11:17:18 | fileName | semmle.label | fileName |
-| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
 #select
 | test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -29,18 +29,13 @@ nodes
 | search.c:14:24:14:28 | *query | semmle.label | *query |
 | search.c:14:24:14:28 | query | semmle.label | query |
 | search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
-| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
 | search.c:17:8:17:12 | query | semmle.label | query |
 | search.c:17:8:17:12 | query | semmle.label | query |
-| search.c:17:8:17:12 | query | semmle.label | query |
-| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
 | search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
 | search.c:22:24:22:28 | *query | semmle.label | *query |
 | search.c:22:24:22:28 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |
-| search.c:23:39:23:43 | query | semmle.label | query |
-| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
 | search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -18,18 +18,13 @@ nodes
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
-| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
 | test.c:21:18:21:23 | query1 | semmle.label | query1 |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
-| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
 | test.cpp:43:27:43:30 | argv | semmle.label | argv |
 | test.cpp:43:27:43:30 | argv | semmle.label | argv |
 | test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
 | test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
-| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
-| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
 | test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
 #select
 | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:15:20:15:23 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -17,11 +17,8 @@ nodes
 | test.cpp:37:73:37:76 | *data | semmle.label | *data |
 | test.cpp:37:73:37:76 | data | semmle.label | data |
 | test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
-| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
 | test.cpp:43:32:43:35 | data | semmle.label | data |
 | test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
 | test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -79,15 +79,11 @@ nodes
 | test.cpp:24:30:24:36 | command | semmle.label | command |
 | test.cpp:26:10:26:16 | command | semmle.label | command |
 | test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
 | test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
 | test.cpp:29:30:29:36 | *command | semmle.label | *command |
 | test.cpp:29:30:29:36 | command | semmle.label | command |
 | test.cpp:31:10:31:16 | command | semmle.label | command |
 | test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
 | test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
 | test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
@@ -100,54 +96,36 @@ nodes
 | test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
 | test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
 | test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:63:10:63:13 | data | semmle.label | data |
 | test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
 | test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
 | test.cpp:64:10:64:16 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:64:10:64:16 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:64:10:64:16 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:64:10:64:16 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
 | test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
 | test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
 | test.cpp:65:10:65:14 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:65:10:65:14 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
 | test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
 | test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
 | test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
 | test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
 | test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
 | test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
 | test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
 | test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
 #select
 | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:23 | call to getenv | call to getenv |
 | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:23 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -56,42 +56,30 @@ nodes
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
-| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
 | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
 | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
-| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
-| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:29:28:29:31 | argv | semmle.label | argv |
 | tests.c:29:28:29:31 | argv | semmle.label | argv |
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
-| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
-| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
 | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
-| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
-| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
 | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
 | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
-| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
-| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
 #select
 | tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected

@@ -27,26 +27,18 @@ nodes
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | semmle.label | ... + ... |
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
-| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
-| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
 | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | semmle.label | ... + ... |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
 | char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... | semmle.label | (const char *)... |
-| char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... | semmle.label | (const char *)... |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
-| char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
-| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... | semmle.label | (const char *)... |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... | semmle.label | (const char *)... |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
 #select
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | recv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -272,29 +272,20 @@ nodes
 | argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
 | argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
 | argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
 | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
-| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
-| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
 | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
 | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
 | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
-| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
-| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
 | argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
 | argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
 | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
 | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
 | argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
-| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
-| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
 | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
 | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
 | argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
@@ -303,51 +294,35 @@ nodes
 | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
 | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
 | argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
 | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
 | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
 | argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
-| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
-| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
 | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
 | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
 | argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
 | argvLocal.c:107:15:107:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
-| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
-| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
-| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
 | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
 | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
 | argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
 | argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
-| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
-| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
 | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
 | argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
 | argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
 | argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
-| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
-| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
 | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
 | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
 | argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
@@ -356,108 +331,69 @@ nodes
 | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
 | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
 | argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
 | argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
-| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
-| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
 | argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
 | argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
 | argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
 | argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
-| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
-| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
-| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
-| argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 |
 | argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 |
 | argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
-| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
-| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
-| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
-| argvLocal.c:136:17:136:18 | i4 | semmle.label | i4 |
 | argvLocal.c:136:17:136:18 | i4 | semmle.label | i4 |
 | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
 | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
 | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
 | argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
-| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
 | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
 | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
-| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
-| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
 | argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
 | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
 | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
 | argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
 | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
 | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
 | argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
-| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
-| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
-| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
 | argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
 | argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
 | argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
 | argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
-| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
-| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
 | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
 | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
 | argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
-| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
 | argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
 | argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
 | argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
-| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
 | argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
-| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
 | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
 | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
-| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
-| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
 | argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
-| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
-| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
-| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
-| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
 | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
 | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
 | argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
-| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
 | argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
-| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
-| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
 | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
 | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
 #select

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected

@@ -83,70 +83,50 @@ nodes
 | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
 | funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
 | funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
 | funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
-| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
 | funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
 | funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
 | funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
 | funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
-| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
 | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
 | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
 | funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
 | funcsLocal.c:31:19:31:21 | i41 | semmle.label | i41 |
 | funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
 | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
-| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
-| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
 | funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
 | funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
 | funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
 | funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
 | funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
-| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
 | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
 | funcsLocal.c:41:18:41:20 | i61 | semmle.label | i61 |
 | funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
 | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
-| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
-| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
 | funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument |
 | funcsLocal.c:47:9:47:11 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:47:9:47:11 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
-| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
-| funcsLocal.c:47:9:47:11 | * ... indirection | semmle.label | * ... indirection |
 | funcsLocal.c:47:9:47:11 | * ... indirection | semmle.label | * ... indirection |
 | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:53:9:53:11 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:53:9:53:11 | (const char *)... | semmle.label | (const char *)... |
-| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:53:9:53:11 | * ... indirection | semmle.label | * ... indirection |
-| funcsLocal.c:53:9:53:11 | * ... indirection | semmle.label | * ... indirection |
-| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
 | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
 | funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
-| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
 #select
 | funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | i1 | fread |
 | funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | i3 | fgets |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected

@@ -90,12 +90,10 @@ nodes
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:24:11:24:14 | argv indirection | semmle.label | argv indirection |
 | globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
-| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
@@ -106,12 +104,10 @@ nodes
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
-| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
@@ -120,12 +116,10 @@ nodes
 | globalVars.c:41:15:41:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
-| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
 #select
 | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected

@@ -90,12 +90,10 @@ nodes
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:24:11:24:14 | argv indirection | semmle.label | argv indirection |
 | globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
-| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
@@ -106,12 +104,10 @@ nodes
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
-| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
@@ -120,12 +116,10 @@ nodes
 | globalVars.c:41:15:41:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
-| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
-| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
 #select
 | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected

@@ -92,101 +92,68 @@ nodes
 | ifs.c:61:8:61:11 | argv | semmle.label | argv |
 | ifs.c:61:8:61:11 | argv | semmle.label | argv |
 | ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
 | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
-| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
-| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
 | ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
 | ifs.c:68:8:68:11 | argv | semmle.label | argv |
 | ifs.c:68:8:68:11 | argv | semmle.label | argv |
 | ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
 | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
-| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
-| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
 | ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
 | ifs.c:74:8:74:11 | argv | semmle.label | argv |
 | ifs.c:74:8:74:11 | argv | semmle.label | argv |
 | ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
 | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
-| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
-| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
 | ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
 | ifs.c:80:8:80:11 | argv | semmle.label | argv |
 | ifs.c:80:8:80:11 | argv | semmle.label | argv |
 | ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
 | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
-| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
-| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
 | ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
 | ifs.c:86:8:86:11 | argv | semmle.label | argv |
 | ifs.c:86:8:86:11 | argv | semmle.label | argv |
 | ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
 | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
-| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
-| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
 | ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
 | ifs.c:92:8:92:11 | argv | semmle.label | argv |
 | ifs.c:92:8:92:11 | argv | semmle.label | argv |
 | ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
 | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
 | ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
 | ifs.c:98:8:98:11 | argv | semmle.label | argv |
 | ifs.c:98:8:98:11 | argv | semmle.label | argv |
 | ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
 | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
 | ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
 | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
-| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
-| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
 | ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
 | ifs.c:111:8:111:11 | argv | semmle.label | argv |
 | ifs.c:111:8:111:11 | argv | semmle.label | argv |
 | ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
 | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
-| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
-| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
 | ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
 | ifs.c:117:8:117:11 | argv | semmle.label | argv |
 | ifs.c:117:8:117:11 | argv | semmle.label | argv |
 | ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
 | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
-| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
-| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
 | ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
 | ifs.c:123:8:123:11 | argv | semmle.label | argv |
 | ifs.c:123:8:123:11 | argv | semmle.label | argv |
 | ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
 | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
 | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
-| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
-| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
 | ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
 #select
 | ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:61:8:61:11 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected

@@ -9,6 +9,5 @@ nodes
 | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
-| examples.cpp:66:11:66:14 | data | semmle.label | data |
 #select
 | examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | & ... | User-provided value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected

@@ -28,7 +28,6 @@ nodes
 | test2.cpp:12:21:12:21 | v | semmle.label | v |
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
-| test2.cpp:14:11:14:11 | v | semmle.label | v |
 | test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
 | test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
 | test2.cpp:27:13:27:13 | v | semmle.label | v |
@@ -37,26 +36,21 @@ nodes
 | test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
 | test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
 | test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
-| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
 | test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
-| test5.cpp:19:6:19:6 | y | semmle.label | y |
 | test.c:11:29:11:32 | argv | semmle.label | argv |
 | test.c:11:29:11:32 | argv | semmle.label | argv |
 | test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
 | test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
-| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
 | test.c:41:17:41:20 | argv | semmle.label | argv |
 | test.c:41:17:41:20 | argv | semmle.label | argv |
 | test.c:44:7:44:10 | len2 | semmle.label | len2 |
 | test.c:44:7:44:10 | len2 | semmle.label | len2 |
-| test.c:44:7:44:10 | len2 | semmle.label | len2 |
 | test.c:51:17:51:20 | argv | semmle.label | argv |
 | test.c:51:17:51:20 | argv | semmle.label | argv |
 | test.c:54:7:54:10 | len3 | semmle.label | len3 |
 | test.c:54:7:54:10 | len3 | semmle.label | len3 |
-| test.c:54:7:54:10 | len3 | semmle.label | len3 |
 #select
 | test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
 | test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml

@@ -2,7 +2,7 @@
 name: codeql/cpp-tests-cwe-190-tainted
 groups: [cpp, test]
 dependencies:
-  codeql/cpp-all: "*"
-  codeql/cpp-queries: "*"
+  codeql/cpp-all: ${workspace}
+  codeql/cpp-queries: ${workspace}
 extractor: cpp
 tests: .

cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected

@@ -23,22 +23,16 @@ nodes
 | test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:20:14:20:20 | address | semmle.label | address |
 | test.cpp:20:14:20:20 | address | semmle.label | address |
-| test.cpp:20:14:20:20 | address | semmle.label | address |
-| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
 | test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
 | test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
 | test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:31:14:31:20 | address | semmle.label | address |
 | test.cpp:31:14:31:20 | address | semmle.label | address |
-| test.cpp:31:14:31:20 | address | semmle.label | address |
-| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
 | test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
 | test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
 | test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:42:14:42:20 | address | semmle.label | address |
 | test.cpp:42:14:42:20 | address | semmle.label | address |
-| test.cpp:42:14:42:20 | address | semmle.label | address |
-| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
 | test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
 #select
 | test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected

@@ -9,6 +9,5 @@ nodes
 | test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
 | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
-| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
 #select
 | test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@. | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |

cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.expected

@@ -0,0 +1,3 @@
+| test.cpp:5:7:5:12 | Class2 | AV Rule 76: A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. |
+| test.cpp:16:7:16:12 | Class3 | AV Rule 76: A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. |
+| test.cpp:33:7:33:12 | Class4 | AV Rule 76: A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. |

cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref

@@ -0,0 +1 @@
+jsf/4.10 Classes/AV Rule 76.ql

cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp

@@ -0,0 +1,96 @@
+class Class1 // good: no pointer members, default assignment operator and copy constructor
+{
+};
+
+class Class2 // bad: pointer members, default assignment operator and copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class2(int* a):_a(a)
+    {
+    }
+};
+
+class Class3 // bad: pointer members, custom assignment operator and default copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class3(int* a) :_a(a)
+    {
+    }
+
+    Class3& operator=(const Class3& rhs)
+    {
+        this->_a = rhs._a;
+        return *this;
+    }
+};
+
+class Class4 // bad: pointer members, default assignment operator and custom copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class4(int* a) :_a(a)
+    {
+    }
+
+    Class4(const Class4& rhs):_a(rhs._a)
+    {
+    }
+};
+
+class Class5  // good: pointer members, custom assignment operator and copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class5(int* a) :_a(a)
+    {
+    }
+
+    Class5(const Class5& rhs) :_a(rhs._a)
+    {
+    }
+
+    Class5& operator=(const Class5& rhs)
+    {
+        this->_a = rhs._a;
+        return *this;
+    }
+};
+
+class Class6 // good: pointer members, deleted assignment operator and copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class6(int* a) :_a(a)
+    {
+    }
+
+    Class6& operator=(const Class6& rhs) = delete;
+    Class6(const Class6& rhs) = delete;
+};
+
+class Class7 // good: pointer members, disallowed assignment operator and copy constructor
+{
+private:
+    int* _a;
+
+public:
+    Class7(int* a) :_a(a)
+    {
+    }
+
+private:
+    Class7& operator=(const Class7& rhs); // no implementation to get linker error!
+    Class7(const Class7& rhs); // no implementation to get linker error!
+};

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,8 +1,8 @@
 name: codeql/csharp-solorigate-all
-version: 1.3.2
+version: 1.3.3
 groups:
     - csharp
     - solorigate
 library: true
 dependencies:
-    codeql/csharp-all: "*"
+    codeql/csharp-all: ${workspace}

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,9 +1,9 @@
 name: codeql/csharp-solorigate-queries
-version: 1.3.2
+version: 1.3.3
 groups:
     - csharp
     - solorigate
 defaultSuiteFile: codeql-suites/solorigate.qls
 dependencies:
-    codeql/csharp-all: "*"
-    codeql/csharp-solorigate-all: "*"
+    codeql/csharp-all: ${workspace}
+    codeql/csharp-solorigate-all: ${workspace}

csharp/ql/campaigns/Solorigate/test/qlpack.yml

@@ -4,9 +4,9 @@ groups:
     - solorigate
     - test
 dependencies:
-  codeql/csharp-all: "*"
-  codeql/csharp-queries: "*"
-  codeql/csharp-solorigate-all: "*"
-  codeql/csharp-solorigate-queries: "*"
+  codeql/csharp-all: ${workspace}
+  codeql/csharp-queries: ${workspace}
+  codeql/csharp-solorigate-all: ${workspace}
+  codeql/csharp-solorigate-queries: ${workspace}
 extractor: csharp
 tests: .

csharp/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-csharp-consistency-queries
 groups: [csharp, test, consistency-queries]
 dependencies:
-  codeql/csharp-all: "*"
+  codeql/csharp-all: ${workspace}
 extractor: csharp

csharp/ql/examples/qlpack.yml

@@ -3,4 +3,4 @@ groups:
   - csharp
   - examples
 dependencies:
-  codeql/csharp-all: "*"
+  codeql/csharp-all: ${workspace}

csharp/ql/integration-tests/qlpack.yml

@@ -1,2 +1,2 @@
-libraryPathDependencies:
-  - codeql-csharp
+dependencies:
+  codeql/csharp-all: '*'